[Filebeat] Azure Signin Module authentication_processing_details Issue #34330
Comments
@elastic/obs-cloud-monitoring fyi |
@zmoog curious to see what is found and if changes are required. This only happens when there’s a period in that last field value key |
Let me run some tests to understand how these kinds of logs are ingested and indexed. |
I tried to ingest the test document test-non-interactive-user-signin.log you @mr1716 mentioned using Filebeat 8.6.1. With an input document containing this snippet:
{
"authenticationProcessingDetails": [
{
"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)",
"value": "False"
},
{
"key": "Oauth Scope Info",
"value": "[User.Read,Userinfo.ReadWrite]"
},
{
"key": "Is CAE Token",
"value": "False"
}
]
}
The end result is the following:
{
"authentication_processing_details": {
"Legacy TLS (TLS 1": {
"0, 1": {
"1, 3DES)": "False"
}
},
"Oauth Scope Info": "[User.Read,Userinfo.ReadWrite]",
"Is CAE Token": "False"
}
}
There is room for improvement. |
TIL the I am trying to replace the Starting from:
{
"authenticationProcessingDetails": [
{
"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)",
"value": "False"
},
{
"key": "Oauth Scope Info",
"value": "[User.Read,Userinfo.ReadWrite]"
},
{
"key": "Is CAE Token",
"value": "False"
}
]
}
if I use this
I get the following result:
{
"authentication_processing_details": {
"Oauth Scope Info": "[User.Read,Userinfo.ReadWrite]",
"Legacy TLS (TLS 1.0, 1.1, 3DES)": "False",
"Is CAE Token": "False"
}
} |
@zmoog any way to do that in JavaScript? |
@UcanInfosec, according to the available scripting languages, unfortunately JavaScript is not one of them. The most interesting and used option is the Painless scripting language. It is a good option to write down expressions or small snippets of code to transform data. |
@mr1716 @UcanInfosec does the new document structure work for your use cases?
{
"authentication_processing_details": {
"Oauth Scope Info": "[User.Read,Userinfo.ReadWrite]",
"Legacy TLS (TLS 1.0, 1.1, 3DES)": "False",
"Is CAE Token": "False"
}
}
I am creating a quick PR to gather feedback from other team members. |
@zmoog I think the question that @UcanInfosec had was how would we do this same thing if it were done in native Filebeat, not Elastic Painless. The new structure works well. Just curious how to do what you did in native Filebeat |
@mr1716, what do you mean by 'native Filebeat'? Here's how Filebeat collects the logs from Azure and publishes them to Elasticsearch.
The azure-eventhub input connects to the Azure event hub and fetches the logs. The input sends the logs to the data stream, where an ingest pipeline processes them before indexing. The azure-eventhub input does not process the logs. It is the Filebeat adapter to access the event hub. All the processing and data transformation from the source format from Azure to the document in Elasticsearch happens in the ingest pipeline. |
@zmoog how would the painless script be converted into a filebeat script processor? |
Because it’s fine when there are spaces but not periods originally |
For existing Filebeat modules and integrations, the processors are defined as YAML files and created in Elasticsearch during installation. For example, here is the source for the sign-in logs ingest pipelines: If you want to add a script processor to a new or existing pipeline, you can do it in Kibana or Dev Tools. For example, in Kibana, you can:
If you want to get started with the Painless scripting language, then Painless scripting language is a good starting point. |
The set processor expands the dots in field names into subfields. For example, given the following pipeline in the Dev Tools:
If we simulate the pipeline execution using the empty test object
I get the following result:
{
"a": {
"b": {
"c": true
}
}
}
We proposed the fix https://github.com/elastic/integrations/pull/5129/files#diff-274e12d0961404cd66da857b49259663133debe54e6cc0b9e0832114450785c8 that replaces for If it works for you, we'll port the fix from the integrations repo to beats. |
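To make the two behaviours in the thread concrete, here is an added Python model (not code from the thread, the Beats repo or the integrations PR) that replays the exact authenticationProcessingDetails record above: one function mimics a processor that reads dots in a key as an object path, the other copies the keys verbatim, and a third flags keys that the dot-expanding path would split.

```python
# Added illustration, not code from the thread or from the Beats/integrations
# repositories. Models two ways of turning Azure's authenticationProcessingDetails
# list into an object: expand_dotted_keys() mimics a `set`-style processor that
# treats dots in a field name as an object path (the behaviour reported in the
# thread); as_literal_map() keeps every key verbatim, which is what the fix wants.
from typing import Any

# Constructed input: the three entries from the snippet ingested in the thread.
DETAILS = [
    {"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"},
    {"key": "Oauth Scope Info", "value": "[User.Read,Userinfo.ReadWrite]"},
    {"key": "Is CAE Token", "value": "False"},
]


def expand_dotted_keys(details: list[dict[str, Any]]) -> dict[str, Any]:
    """Set each key as a dotted path: 'a.b.c' -> {'a': {'b': {'c': value}}}.

    This reproduces the nested "Legacy TLS (TLS 1" / "0, 1" / "1, 3DES)"
    structure seen in the thread. Dots inside values are left alone, which is
    why the Oauth Scope Info value survives intact.
    """
    out: dict[str, Any] = {}
    for item in details:
        node = out
        parts = item["key"].split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = item["value"]
    return out


def as_literal_map(details: list[dict[str, Any]]) -> dict[str, Any]:
    """Copy key/value pairs into a map without interpreting the key text."""
    return {item["key"]: item["value"] for item in details}


def keys_with_dots(details: list[dict[str, Any]]) -> list[str]:
    """Keys a dot-expanding processor would split; a cheap pre-ingest check."""
    return [item["key"] for item in details if "." in item["key"]]


if __name__ == "__main__":
    print("dot-expanded:", expand_dotted_keys(DETAILS))
    print("literal map: ", as_literal_map(DETAILS))
    print("keys at risk:", keys_with_dots(DETAILS))
```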
As long as it fixes this, let’s do it. This needs to get fixed |
Great. I am finalizing the two PRs for both Beats and Elastic Agent integration. |
Recap:
Fixes implemented in: |
Targeting to ship this fix in the following Beats releases:
And in the Azure Logs integration 1.5.7 |
The log is found in the official Elastic Repository at: https://github.com/elastic/beats/blob/main/x-pack/filebeat/module/azure/signinlogs/test/test-non-interactive-user-signin.log-expected.json
For the Azure Signin Module, the following field should have the periods in "Legacy TLS (TLS 1.0, 1.1, 3DES)" replaced with an underscore or another value. When the value is unflattened, Filebeat views the periods as subfields, which is not the intent.
"azure.signinlogs.properties.authentication_processing_details.Legacy TLS (TLS 1.0, 1.1, 3DES)": "False",
It should be something like:
"azure.signinlogs.properties.authentication_processing_details.Legacy TLS (TLS 1_0, 1_1, 3DES)": "False",